ShadowWali Malware Discovered, Attacking Japan Since 2015

An earlier version of Wali, a backdoor used in targeted attacks, has been uncovered, indicating that its operators have been attacking Japanese businesses since at least 2015.

Dubbed ShadowWali by security firm Cybereason, the backdoor gathers information about compromised machines and their networks, in addition to stealing sensitive information and credentials. Its operators can then use this information to move laterally within an organization and compromise yet more machines.

There are many similarities between Wali and ShadowWali, including clues that both were created by the same author, the highly anonymous “user 123.” Both were also developed using the xxmm builder. Both are also bloated with junk code, with file sizes that can reach 200MB. This is a tactic used to evade inspection by traditional antivirus software and other security products, under the premise that certain security solutions skip files above a size limit rather than scan them.
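To make the size-limit premise concrete, the following added example (written for this page, not code from Cybereason or from the xxmm samples) models two scanners against a constructed bloated file: one that refuses to inspect anything above a maximum size, and one that reads the file in overlapping chunks so the limit no longer matters. The marker bytes, the filler pattern and the 2MiB cap are all assumptions chosen for illustration; the sample bytes are constructed, not taken from a real binary.

```python
from typing import Iterator, Tuple

# Hypothetical byte pattern standing in for a real AV signature (assumption).
MARKER = b"xxmm-builder-marker"
MiB = 1024 * 1024


def build_bloated_sample(junk_bytes: int, marker: bytes = MARKER) -> bytes:
    """Constructed stand-in for a padded binary: a tiny fake header, then
    junk_bytes of filler, then the content a signature would match on."""
    prefix = b"MZ" + b"\x90" * 62                          # 64-byte fake header
    junk = (b"\x90\x90\xcc" * (junk_bytes // 3 + 1))[:junk_bytes]
    return prefix + junk + marker + b"\x00" * 16


def scan_size_capped(data: bytes, marker: bytes, max_size: int) -> bool:
    """Model of a scanner with a maximum file size: anything larger is not
    inspected at all, so a bloated sample is never matched."""
    if len(data) > max_size:
        return False
    return marker in data


def iter_chunks(data: bytes, chunk_size: int, overlap: int) -> Iterator[bytes]:
    """Yield fixed-size windows that overlap by `overlap` bytes, so a pattern
    straddling a window boundary still appears whole in one window."""
    if overlap >= chunk_size:
        raise ValueError("overlap must be smaller than chunk_size")
    pos = 0
    while pos < len(data):
        yield data[pos:pos + chunk_size]
        pos += chunk_size - overlap


def scan_chunked(data: bytes, marker: bytes, chunk_size: int,
                 overlap: bool = True) -> bool:
    """Scan without a size cap. With overlap=True the windows overlap by
    len(marker)-1 bytes, which is the minimum needed to never split a match."""
    ov = len(marker) - 1 if overlap else 0
    return any(marker in chunk for chunk in iter_chunks(data, chunk_size, ov))


def demo_size_cap() -> Tuple[bool, bool, bool]:
    """3MiB of filler pushes the sample past a 2MiB cap: the capped scanner
    skips it, the chunked scanner still finds the marker."""
    sample = build_bloated_sample(3 * MiB)
    return (len(sample) > 2 * MiB,
            scan_size_capped(sample, MARKER, max_size=2 * MiB),
            scan_chunked(sample, MARKER, chunk_size=MiB))


def demo_chunk_boundary() -> Tuple[bool, bool]:
    """Marker placed at offset 95 so it straddles a 100-byte window boundary:
    naive chunking misses it, overlapped chunking catches it."""
    sample = build_bloated_sample(31)
    return (scan_chunked(sample, MARKER, chunk_size=100, overlap=False),
            scan_chunked(sample, MARKER, chunk_size=100, overlap=True))


if __name__ == "__main__":
    print("size cap  (oversized, capped hit, chunked hit):", demo_size_cap())
    print("boundary  (naive hit, overlapped hit):", demo_chunk_boundary())
```

The second demo matters in practice: a scanner that drops the size cap but reads in non-overlapping blocks simply trades one blind spot for another, since a signature split across a block boundary is never seen in full.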

“The timestamp of most of the observed [ShadowWali] backdoor samples dates back to 2015 and continues until mid-2016,” Cybereason researchers explained, in an analysis. “Wali’s timestamps, meanwhile, run between 2016 and 2017. This could be viewed as either an older version of Wali or as a separate, older project the 123 author developed.”

In terms of differences (or tweaks from one version to the next), most Wali samples are observed injecting malicious payloads into Internet Explorer. ShadowWali, however, also injects into the lsass.exe and explorer.exe processes, Cybereason said. Wali’s loader comes with both a 32-bit and a 64-bit payload, while ShadowWali tends to deliver only 32-bit payloads. The two also use different process-injection techniques.
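The injection targets above are the kind of detail a detection engineer turns into a rule. The following added example (written for this page, not code from Cybereason) runs a simple check over constructed Sysmon-style records: Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) entries whose target is iexplore.exe, lsass.exe or explorer.exe are flagged unless the source image is on a small allowlist. The log lines, the allowlist and the field layout are assumptions for illustration; only the target process names come from the article.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Injection targets named in the article (Internet Explorer's image is iexplore.exe).
WATCHED_TARGETS = {"iexplore.exe", "lsass.exe", "explorer.exe"}

# Sources expected to touch these processes legitimately; assumption, tune per estate.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Access rights that enable writing code into and starting a thread in a process.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_WRITE = 0x0020
INJECT_ACCESS = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Constructed records mirroring Sysmon Event ID 8 and 10 fields (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=8 SourceImage=C:\Users\u\AppData\Local\Temp\svchost.exe TargetImage=C:\Windows\System32\lsass.exe StartAddress=0x00000000004A1000 StartModule=",
    r"EventID=8 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\explorer.exe StartAddress=0x00007FF6B0C01234 StartModule=C:\Windows\System32\ntdll.dll",
    r"EventID=10 SourceImage=C:\ProgramData\update.exe TargetImage=C:\Program Files\Internet Explorer\iexplore.exe GrantedAccess=0x1F0FFF",
    r"EventID=10 SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe",
]


@dataclass
class Alert:
    event_id: int
    source: str
    target: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value Key2=Value with spaces' into a dict. Values such as
    'C:\\Program Files\\...' contain spaces, so split only before a Key= token."""
    fields: Dict[str, str] = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def image_name(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS.
    return ntpath.basename(path).lower()


def check_event(fields: Dict[str, str]) -> Optional[Alert]:
    event_id = int(fields.get("EventID", "0"))
    source = fields.get("SourceImage", "")
    target = fields.get("TargetImage", "")
    if image_name(target) not in WATCHED_TARGETS or source.lower() in ALLOWED_SOURCES:
        return None
    if event_id == 8:
        # A remote thread whose start address is not backed by a module is
        # the classic sign of injected code; note it in the reason.
        unbacked = fields.get("StartModule", "") == ""
        reason = "remote thread" + (" from unbacked memory" if unbacked else "")
        return Alert(event_id, source, image_name(target), reason)
    if event_id == 10:
        granted = int(fields.get("GrantedAccess", "0x0"), 16)
        if granted & INJECT_ACCESS:
            return Alert(event_id, source, image_name(target),
                         f"handle with injection rights 0x{granted:X}")
    return None


def analyze(lines: List[str]) -> List[Alert]:
    alerts = []
    for line in lines:
        alert = check_event(parse_event(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[EID {a.event_id}] {a.source} -> {a.target}: {a.reason}")
```

Two of the five constructed records trigger: the remote thread from a Temp-folder binary into lsass.exe, and the full-access handle from update.exe to iexplore.exe. The csrss.exe entry is suppressed by the allowlist and the taskmgr.exe handle carries only query rights, which is the kind of tuning that keeps a rule built on these target names from paging on every logon.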

“Whether it’s a case of two different backdoors or an evolution of one malware over two years is a matter of interpretation,” researchers noted. “To date, Wali and ShadowWali are still actively targeting Japanese organizations.”

The identity of the 123 author remains unknown, but there are indications that the threat actor resides in Asia. Many of the C&C domains and IPs lead to legitimate Japanese and/or Japan-related websites that had been compromised. Additionally, some of the observed C&C domains are suspected to be fake websites that mimic the sites of legitimate Japanese businesses. According to Cybereason, many of the compromised sites are hosted by one of Japan’s largest hosting companies, the GMO Internet Group.

“Compared to other modern backdoors, the xxmm backdoor family doesn’t stand out or seem very sophisticated,” the researchers noted. “However, the backdoors are proven to be effective as they successfully infected dozens of endpoints over two years, while evading traditional security products.”